Cyber threats of the week: USB worm for stealing cryptocurrencies, new Android trojan, and Beats Studio Buds vulnerability

This week, the cybersecurity world faced a series of serious threats targeting cryptocurrency owners. From self-replicating USB worms to sophisticated Android trojans, attackers continue to refine their methods. Let's break down the key events.
USB Worm: A New Threat for Cryptocurrency Owners
Microsoft experts identified a dangerous campaign using a self-replicating USB worm. Infection begins when a victim opens a modified shortcut file (.LNK) on a USB drive. After that, the worm stealthily installs additional malware from a server in the .onion domain zone.
The malware scans the system for user documents, hides the originals, and replaces them with malicious shortcuts bearing the same names. Thus, every time a user tries to open their files, the software activates. For self-propagation, the worm creates a task that monitors the connection of new USB drives and instantly copies itself onto them.
The stealer activates only if the "Task Manager" is not running on the system. It uses built-in Tor to communicate with the command server and monitors the clipboard every half second for BIP39 seed phrases and wallet addresses for Bitcoin, Ethereum, Tron, and Monero. Upon detecting an address, it replaces it with the attacker's details. Every ten seconds, the virus takes five screenshots and sends them to the hackers.
My Expert Opinion: This worm is a prime example of how classic infection methods via USB drives are adapting to modern realities. The use of Tor for hidden communication and the substitution of wallet addresses with visually similar characters make it particularly dangerous. Users should be extremely cautious when using foreign USB drives.
Rokarolla: A New Android Trojan with Extensive Capabilities
Researchers from Zimperium discovered the Rokarolla trojan, targeting cryptocurrency theft. Its arsenal includes 137 remote commands, allowing it to intercept PIN codes, read and send SMS, manipulate the clipboard, and disable OS security mechanisms.
The trojan spreads through malicious websites disguised as installers for popular apps like TikTok and Google Chrome. In the first stage, the victim downloads a program that mimics the system component Google Play Protect. Using social engineering, the dropper forces the user to grant access to "Accessibility Services," after which it deploys the main payload and disables the real Play Protect scanner.
Rokarolla downloads fake HTML login pages for each active app from a target list. When the victim opens a legitimate crypto wallet, the trojan overlays it with a fake window and intercepts the credentials. Particularly dangerous is the overlay mimicking the standard Android lock screen, allowing theft of the PIN or pattern key. For cryptocurrency theft, a built-in clipper is used, which replaces wallet addresses in the clipboard.
My Expert Opinion: This trojan demonstrates how sophisticated attacks on mobile devices have become. The key point is gaining access to "Accessibility Services." This should be a red flag for any Android user.
Vulnerability in Beats Studio Buds: Eavesdropping Risk
Apple released a firmware update for its wireless Beats Studio Buds headphones, fixing the vulnerability CVE-2025-20701. The flaw, discovered by SentinelOne experts, allowed attackers within Bluetooth range to connect to the headphones without user consent and use the built-in microphone for espionage.
The issue is related to incorrect authorization in the Bluetooth audio SDK. The vulnerability gave hackers almost complete control over the device, including the ability to read and overwrite memory, as well as intercept trust relationships with paired smartphones.
My Expert Opinion: This vulnerability is a reminder that even seemingly harmless devices like headphones can become an entry point for an attack. Regularly updating the firmware of all Bluetooth devices is a mandatory practice for ensuring security.